Alloy users setting up multi-factor authentication (MFA) for their account will be able to choose between setting it up via a Timed One Time Password (TOTP) or via SMS (for US numbers only).

As a reminder, the MFA set-up screen will be triggered during user login in the following scenarios:

• If an account currently requires MFA: users within that account that do not already have MFA set up will be prompted to set up TOTP or SMS the next time they log in. (Users that have already set up MFA will not need to take any action.)
• If an account currently does not require MFA but then turns on this requirement for their users: users within that account will then be prompted to set up MFA - either TOTP or SMS - the next time they log in.
• If an account’s users currently has MFA set up as SMS: their account administrator can reset it so the next time they log in, users within that account have the option to set up MFA as TOTP.

When logging into Alloy, users can set up TOTP by scanning a QR code on the screen with their authenticator app. After entering in a one-time code provided by their authenticator app, MFA will be successfully enabled for all future logins.

Clients utilizing portfolio workflows as part of their decisioning will now be able to benefit from enhanced rule context in their review experiences. Agents will now have more visibility into why a particular outcome was reached, how rules were applied and what the results of those rules were.

Clients that partner with fintechs to deliver embedded finance products can request complimentary view-only Audit Access of their fintechs’ Evaluations, Entities, Workflows, and Journeys through a Parent Auditor account. This streamlines the way that sponsor banks / EMIs and fintech partners work together and share information about their compliance policies and decisioning within Alloy.

Through the Parent Auditor-Child account structure:

• Evaluations, Entities, and Applications across their fintech portfolio are available to the Parent Auditor through an aggregated view in the Alloy Dashboard.
• Workflows and Journeys across their fintech portfolio are visible to the Parent Auditor at the Child account level.

To get Audit Access, please reach out to your Alloy representative. Learn more about Alloy for Embedded Finance (AFEF) through our February 29, 2024 change log.

Clients using the Onfido SDK plug-in may see minor changes to the user experience due to a new Onfido version upgrade. The Onfido Web SDK v14.2.2 upgrade contains enhanced security and improved accessibility support.

No changes are required on the client side. Please see Onfido’s SDK changelog and Web SDK Migration documentation for full details.

Clients will now have more visibility into the triggered rules and outputs behind an evaluation, providing agents with the necessary context for why an individual was flagged for review. 

The expanded Outcome Reasons modal on review pages (such as the Evaluations, Application Review, and Transaction Evaluation pages) will provide:

• A plain language description of the rule (if provided), 
• The full underlying rule logic
• Visual indicators for the outcomes of each of the tags that denote whether they satisfied or did not satisfy the rule logic.

Clients using Ongoing Monitoring will benefit from additional insight into the specific transactions or account changes which contributed to threshold breach for more complex rules using aggregations. Rules that have this type of evidence associated with them will be indicated by a receipt icon.  We currently support ‘‘evidence’ for the following Ongoing complex outputs:

• Account history
• Transaction history
• Entity history

For clients on the SDK, when step-up nodes or hosted links expire, a dedicated screen appears to explain to the end user what happened.

Further details on when the expiration screen displays:

• Step-up node expiration where after a certain number of days, hours, and/or minutes, the application is automatically advanced to the node to which the expired outcome for that action is mapped. End users who attempt to re-open the SDK will see the expiration screen. This can be configured from the Journey graph node settings. 
• Hosted link expiration where the link will no longer surface the SDK experience. End users who attempt to re-open the SDK will see the expiration screen. This can be configured in SDK settings per SDK key.

[image of Expiration Screen]

Please note at this time, the copy on the expiration screen cannot be modified.

Clients can now merge multiple entities into a single entity through our new dedicated API endpoint. For instance, if a client identifies a duplicate entity, they can resolve this by calling the new endpoint to merge the duplicate entries and retain a single Alloy entity ID. All associated information with the duplicate entity will be retained in the merged record and be available for future decisioning and reviews for that entity.

For more information on how to leverage the endpoint please reference our documentation: https://developer.alloy.com/public/reference/post_entities-merge

Ongoing Journeys and their manual review nodes will now have available outcomes of "Suspicious" and "Dismissed" rather than "Approved" and "Denied". These new outcome names reflect the riskiness of a post-origination event, compared to the prior origination-centric language.

Any client using Journeys and the Ongoing product can begin utilizing these “Suspicious” and “Dismissed” outcomes in new Journeys and to modify outcomes for existing Ongoing Journeys.

These new outcomes are visible during Journey building and in the Review Queue. (Please note these new outcomes are not yet captured in analytics.)